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AMENDMENTS TO THE CLAIMS: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

LISTING OF CLAIMS 

1 . (Original) Method for performing network surveillance, said method comprising 
the steps of: 

receiving a plurality of network packets handled by a network entity; 
building at least one statistical profile from at least one measure of said plurality 
of network packets; and 

analyzing said at least one statistical profile to detect suspicious network activity. 

2. (Original) The method of claim 1 , wherein said at least one measure monitors 
data transfers by monitoring network packet data transfer commands. 

3. (Original) The method of claim 1 , wherein said at least one measure monitors 
data transfers by monitoring network packet data transfer errors. 

4. (Original) The method of claim 1, wherein said at least one measure monitors 
data transfers by monitoring network packet data transfer volume. 

5. (Original) The method of claim 1, wherein said at least one measure monitors 
network connections by monitoring network connection requests. 

6. The method of claim 1 , wherein said at least one measure monitors network 
connections by monitoring network connection denials. 

7. (Original) The method of claim 1, wherein said at least one measure monitors 
network connections by monitoring a correlation of network connections requests and 
network connection denials. 
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8. (Original) The method of claim 1, wherein said at least one measure monitors 
errors by monitoring at least one error code included in a network packet, wherein said 
at least one error code comprises a privilege error code or an error code indicating a 
reason a packet was rejected. 

9. (Original) The method of claim 1 , further comprising the step of: 
responding based on determining whether said at least one statistical profile 

indicates suspicious network activity. 

10. (Original) The method of claim 9, wherein said responding step comprises 
transmitting an event record to a network monitor. 

1 1 . (Original) The method of claim 10, wherein said transmitting the event record to 
a network monitor step comprises transmitting the event record to a hierarchically 
higher network monitor. 

12. (Original) The method of claim 1 1 , wherein said transmitting the event record to 
a network monitor step comprises transmitting the event record to a network monitor 
that receives event records from a plurality of network monitors. 

13. (Original) The method of claim 12, wherein said network monitor that receives 
event records from said plurality of network monitors comprises a network monitor that 
correlates activity in said plurality of network monitors based on said received event 
records. 

14. (Original) The method of claim 9, wherein said responding step comprises 
altering said analysis of said plurality of network packets. 

15. (Original) The method of claim 9, wherein said responding step comprises 
severing a communication channel. 
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16. (Original) The method of claim 1 , wherein said network entity comprises at least 
one of a gateway, a router, a proxy server, a firewall, and a virtual private network 
(VPN) entity. 

17. (Original) The method of claim 1 , wherein said plurality of network packets are 
partitioning into a plurality of sessions representing a communication transaction 
between two hosts. 

18. (Original) The method of claim 17, wherein said at least one measure monitors 
network connections by monitoring a source port number and a destination port number 
included in one of said network packets. 

19. (Original) A computer-readable medium having stored thereon a plurality of 
instructions, the plurality of instructions including instructions which, when executed by 
a processor, cause the processor to perform the steps comprising of: 

receiving a plurality of network packets handled by a network entity; 
building at least one statistical profile from at least one measure of said plurality 
of network packets; and 

analyzing said at least one statistical profile to detect suspicious network activity. 

20. (Original) Apparatus for performing network surveillance, said apparatus 
comprising: 

means for receiving a plurality of network packets handled by a network entity; 

means for building at least one statistical profile from at least one measure of 
said plurality of network packets; and 

means for analyzing said at least one statistical profile to detect suspicious 
network activity. 
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